TCP/IP protocols and the Internet

Overview
- Internet
- TCP/IP protocols
- Firewalls

What is the Internet
- Getting onto it
TCP/IP protocols
- basics: IP addresses and Internet names
- DHCP: managing client configuration
- DNS: naming system
- PPP: network between two points
Firewalls

Introduction to the Internet
Born mid 1960s at the height of the cold war:
- redundancy: many paths between two points
- designed to survive nuclear war
- not owned by any one organisation
- has no headquarters or command centre
Uses the TCP/IP protocol.

I want my server on the Internet!
There are two things you need:
- Choose an ISP (Internet Service Provider). The ISP allocates one or more permanent IP addresses (more about this later).
- You choose a name and set up a DNS. Register the name with HKNIC (Hong Kong Network Information Centre) at Chinese U, or with the NIC in the USA.

Registering names, addresses
Where to register a name?
- http://www.hknic.net.hk/hknic/
- ...or for a .com name, http://www.networksolutions.com/
Where to register an address?
- http://www.apnic.net/
- Also register the reverse domain (in-addr.arpa): address-to-name
- (Sunday is a member; see http://www.apnic.net/apnic-bin/small-members.pl)
Ask your ISP first before getting addresses yourself!

TCP/IP Protocol Suite
TCP/IP was originally developed for the ARPANET by the US DoD. ARPANET was started in the 1960s; the TCP/IP protocols were introduced in the 1970s.
The TCP/IP protocol suite is very similar to the OSI 7-layer reference model. It includes the TCP and IP specifications, and also specifications for applications like e-mail, remote login, file transfer, etc.

Data Encapsulation

Internet Protocol - Datagram
IP uses datagram packet switching; each IP datagram has a max. length of 65,535 bytes including a 60-byte header (20-byte fixed part + optional part).

IP Addressing
64 bits in an IP datagram are used to represent the addresses of data terminals: 32 bits for the source and 32 bits for the destination.
For an easy human interface, 4 decimal numbers each separated by a `dot' are used to represent the 32 binary values.
Each IP address has two parts, the network number and the host number. Network numbers are assigned by the Network Information Centre (NIC), U.S.

IP Address Classes
There are 5 classes of IP address. Only the first three classes (A, B and C) are frequently used; they can be distinguished by the first 3 bits.
Class A networks:
- first bit is 0
- from 1.0.0.0 to 126.0.0.0
Class B networks:
- first two bits 10
- from 128.1.0.0 to 191.254.0.0
Class C networks:
- first three bits 110
- from 192.0.1.0 to 223.255.254.0

Classless Inter-Domain Routing
Classes A, B, C are now history. WHY? Class C is too small, and we are running out of class B!
Solution: CIDR. Specify a network with two sets of numbers, e.g.,
- 15/8 is the old class A network that starts with the bits 0001111.
- 128.32/16 is the old class B network 128.32.0.0
- 192.168.0.128/25 is the 128 IP addresses from 192.168.0.128 to 192.168.0.255

Examples

Network and Subnetwork
With a single network all hosts are attached together; no router is required.
If the same network is divided into several subnetworks (or subnets), hosts can be separated by routers. This is a better network structure for easy network administration and future development.
Use some host bits as additional network bits: move the dividing line between network bits and host bits.

Subnet Mask
To assign an address/number to subnets, we need to borrow some `host' bits. The more bits borrowed, the more subnets allowed, but fewer hosts in each.
The `Subnet Mask' tells how many bits are assigned for subnet addressing:
- it can be in binary form (all the subnet bits set to `1'), or in the equivalent decimal.
- a default `Subnet Mask' has no subnet bits, i.e. no subnet number is available.

Subnet Mask Examples

Broadcast Addresses
To broadcast a message to all the hosts on the network/subnet, all the `host' bits of the destination IP address are set to `1'.
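As an added example (not part of the original notes), this Python script works through the CIDR, subnet-mask and broadcast rules above using the notes' own prefixes (15/8, 128.32/16, 192.168.0.128/25, 192.168.129/24); the expander for the abbreviated prefix form is my own convention for the short notation the notes use.

```python
import ipaddress


def expand_short_prefix(prefix: str) -> str:
    """Turn the abbreviated CIDR form used in the notes (15/8, 128.32/16,
    192.168.129/24) into a full dotted quad: missing octets are zero."""
    addr, sep, bits = prefix.partition("/")
    octets = addr.split(".")
    if not sep or not 1 <= len(octets) <= 4:
        raise ValueError(f"bad prefix: {prefix!r}")
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets) + "/" + bits


def describe_prefix(prefix: str) -> dict:
    """Network number, subnet mask (dotted and as bits), directed broadcast
    address (all host bits 1) and usable host range for a CIDR prefix."""
    net = ipaddress.ip_network(expand_short_prefix(prefix), strict=False)
    # /31 and /32 have no separate broadcast; treat every address as usable
    first = net.network_address + (1 if net.prefixlen <= 30 else 0)
    last = net.broadcast_address - (1 if net.prefixlen <= 30 else 0)
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "netmask": str(net.netmask),
        "mask_bits": format(int(net.netmask), "032b"),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "addresses": net.num_addresses,
    }


def old_class(prefix: str) -> str:
    """Classful label from the leading bits of the first octet: 0 -> A,
    10 -> B, 110 -> C (the distinction that CIDR made history)."""
    net = ipaddress.ip_network(expand_short_prefix(prefix), strict=False)
    first_octet = int(net.network_address) >> 24
    if first_octet >> 7 == 0b0:
        return "A"
    if first_octet >> 6 == 0b10:
        return "B"
    if first_octet >> 5 == 0b110:
        return "C"
    return "D/E"


def subnets_by_borrowing(prefix: str, borrowed_bits: int) -> list:
    """Borrow host bits as extra network bits: more subnets, fewer hosts each."""
    net = ipaddress.ip_network(expand_short_prefix(prefix), strict=False)
    return [str(s) for s in net.subnets(prefixlen_diff=borrowed_bits)]


def classify_destination(dst: str, prefix: str) -> str:
    """Is dst the local (limited) broadcast, the directed broadcast of the
    given network, a unicast address on it, or something else entirely?"""
    net = ipaddress.ip_network(expand_short_prefix(prefix), strict=False)
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "local broadcast"
    if addr == net.broadcast_address:
        return "directed broadcast"
    if addr in net:
        return "unicast on this network"
    return "unicast elsewhere"


if __name__ == "__main__":
    for p in ("15/8", "128.32/16", "192.168.0.128/25"):
        print(p, "class", old_class(p), describe_prefix(p))
    print(subnets_by_borrowing("192.168.0/24", 1))
    print(classify_destination("192.168.129.255", "192.168.129/24"))
```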
Two types of broadcast:
- Local broadcast involves only those hosts on the same network: 255.255.255.255
- Directed broadcast involves those hosts on the specified IP network number; e.g., a datagram sent to 192.168.129.255/24 will go to all hosts on 192.168.129/24.

Broadcast Examples

Internet Layer
The Internet layer of the TCP/IP suite includes IP, ICMP, ARP, and RARP:
- IP - delivery of datagrams
- ARP - find MAC address
- RARP - find IP address

ARP and RARP
ARP is used to map a known IP address to a MAC address (of the network card). An IP datagram is enclosed in an Ethernet/Token Ring frame, so the MAC address is needed.
RARP is used to map a known MAC address to an IP address. This requires a RARP server with a table of the IP/MAC mapping.
RARP is very limited; it only provides the IP address, and is obsolete. DHCP provides much more. See later.

Transport Layer
Two functions: flow control (sliding windows) and reliability (sequence no. & acknowledgment).
- Transmission Control Protocol: reliable protocol for connection-oriented service
- ICMP: passes error messages and information for the IP protocol
- User Datagram Protocol: `unreliable' protocol for connectionless service
Try to compare the segment formats of TCP & UDP to see why TCP is reliable and UDP is not.

ICMP
Internet Control Message Protocol is for sending IP error and control messages such as destination unreachable, echo, address request, time exceeded, etc.
- Destination unreachable - when a router receives a packet that it is unable to deliver to the required destination
- Echo request, echo reply - generated by the ping command.

TCP Segment
A TCP segment is enclosed in an IP datagram. Maximum length of a TCP segment = 65,535 - 20 = 65,515 bytes (65,535 is the max length of a datagram and 20 is the minimum size of a datagram header).

TCP header

TCP Port Numbers
For TCP to pass information to the upper layers. (UDP also uses port numbers.)
Port numbers keep track of the different applications being handled at the same time.
16-bit port number field.
Standard port numbers for different applications.

Routing table
Each computer has a routing table to see where to send a packet.
The table just tells "the next step"; it does not tell how the datagram should go after the next step. At the next router, the decision will be made about which location the packet should be sent to next.

To see the routing table
On Windows machines, at an MS-DOS prompt type:
C:\WINDOWS>route print
Network Address   Netmask           Gateway Address   Interface         Metric
0.0.0.0           0.0.0.0           202.40.215.254    202.40.215.205    1
127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1         1
202.40.215.0      255.255.255.0     202.40.215.205    202.40.215.205    1
202.40.215.205    255.255.255.255   127.0.0.1         127.0.0.1         1
202.40.215.255    255.255.255.255   202.40.215.205    202.40.215.205    1
224.0.0.0         224.0.0.0         202.40.215.205    202.40.215.205    1
255.255.255.255   255.255.255.255   202.40.215.205    0.0.0.0           1

On Linux machines, type:
[root@www /etc]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.129.49  0.0.0.0         255.255.255.255 UH    0      0   0   eth0
255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0   0   eth0
192.168.129.0   0.0.0.0         255.255.255.0   U     0      0   0   eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
0.0.0.0         192.168.129.254 0.0.0.0         UG    0      0   0   eth0

Default gateway
Notice in both tables the entry for network 0.0.0.0. That means "to any other computer". The gateway address is the address to which all packets for the Internet should be sent.
In your network settings, you will see an entry for default gateway. That is the address of the router that leads to the Internet.

TCP/IP resources
Many, many books are available; I like the O'Reilly books by Craig Hunt:
- TCP/IP Network Administration, 1998
- Windows NT TCP/IP Network Administration, 1998.
Andrew Tanenbaum's Computer Networks, PH, 1996 is a good general introduction.
Cisco have very useful training material on their site. Have a look at http://www.cisco.com/univercd/cc/td/cisintwk/ito_doc/

ISC: Internet Software Consortium
Much Internet software is a combination of reference implementations and recommendations by the IETF (Internet Engineering Task Force).
The ISC is a non-profit organisation that provides free, quality Open Source reference implementations of:
- BIND (Berkeley Internet Name Domain) (also called DNS)
- DHCP (Dynamic Host Configuration Protocol)
- INN (Internet News)
See http://www.isc.org/
We examine their latest releases of BIND and DHCP.

What is DNS?
If you have ever used the Internet, then you have used DNS.
DNS is the Domain Name System.
- It maps names to IP addresses
- It maps IP addresses to names
- It is critical for the delivery of email.

DNS: Domain Name System
Names in the Internet are in a hierarchy; DNS is a distributed database.
Humans like names, computers like numbers. E.g., www.sunday.com <==> 202.4.192.60
Many thousands of DNS servers each hold names and numbers for a set of computers in a domain.
Examples of domains: com, sunday.com
The DNS server for sunday.com is proxy.sunday.com; it holds the names of all computers of the form xxxxx.sunday.com

Domain system like file system 1
Domain system like file system 2
Domain system like file system 3
The file system has a root directory (here called C:\); the domain name system has a root domain called `.'
The file system has subdirectories within directories; the DNS has subdomains within domains.
DNS has many top-level domains: edu, com, hk, net, au
Computers are like files.
Computers are called hosts; hosts can be in any domain lower than a top-level domain.

Zones and domains
A zone is one group of managed names; it may be less than a domain.

Master and slave name servers
A master name server is one where people have sat down and typed in the names for the computers and subdomains.
A slave name server is one that copies a whole zone from a master.
These used to be called primary and secondary.
The data directly from a master or slave zone name server is authoritative.

DNS and caching
Name servers remember what they learned; this is called caching. It saves a lot of work for name servers near the root domain.
- cached data is non-authoritative (probably can trust it)
- master and slave zone data is authoritative (can trust it)
Some name servers are not authoritative for any zone; they are called caching-only name servers.

Resolver: the client side of DNS
Resolvers are the clients that access name servers. The purpose of DNS is mapping names <==> addresses for ordinary computers using the Internet.
Resolvers ask name servers, and give the answers to client programs like IE, Netscape, ftp, telnet, ping, ...
Most resolvers are simple, and do not cache.
Resolvers have a list of up to three name servers. They ask the first; only if it fails to answer do they ask the second, then finally the third.

DNS: an example
- The resolver asks name server X for the IP address of www.Sunday.com
- NS X asks the root server `.' for www.Sunday.com
- The `.' server gives a list of com servers
- NS X asks a com NS for www.Sunday.com
- The com NS tells X the NS for Sunday.com
- NS X asks Sunday.com's NS for www.Sunday.com
- Sunday.com's NS tells X the IP address 202.4.192.60
- NS X tells the resolver 202.4.192.60

Doesn't the root server suffer overload?
If every query started at a root server `.' then it would fail. But it survives! WHY?
Because the name servers remember answers to previous queries (for a while). Yes, that's called caching.

Setting up your own name server
Yes, you can do it! First we show you the hard way, then the easy way.
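As an added example, not from the notes, here is a small Python model of name server X doing the walk shown in "DNS: an example" against a constructed miniature of the hierarchy (the root, one com server, and proxy.sunday.com). It caches delegations and answers for a TTL, which is what keeps the root from being asked again; the com server's name, the ftp address and the TTL value are made up for the example.

```python
from collections import Counter

TTL = 3600  # seconds a learned record stays in the cache (constructed value)

# Constructed miniature of the hierarchy in the notes: the root delegates
# com, the com server delegates sunday.com, and proxy.sunday.com holds the
# A records. ns.com-tld.example and the ftp address are made up.
SERVERS = {
    ".": {"com.": ("NS", "ns.com-tld.example.")},
    "ns.com-tld.example.": {"sunday.com.": ("NS", "proxy.sunday.com.")},
    "proxy.sunday.com.": {
        "www.sunday.com.": ("A", "202.4.192.60"),
        "ftp.sunday.com.": ("A", "202.4.192.61"),
    },
}


def in_zone(name: str, zone: str) -> bool:
    return zone == "." or name == zone or name.endswith("." + zone)


def ask(server: str, qname: str) -> tuple:
    """One query to one server: the answer if it holds the record, else the
    most specific delegation it knows (the 'list of com servers' step)."""
    data = SERVERS[server]
    if qname in data and data[qname][0] == "A":
        return ("answer", data[qname][1])
    zones = [z for z, (rtype, _) in data.items() if rtype == "NS" and in_zone(qname, z)]
    if zones:
        zone = max(zones, key=len)
        return ("referral", zone, data[zone][1])
    return ("nxdomain",)


class NameServerX:
    """A caching name server: remembers answers and delegations for TTL seconds."""

    def __init__(self):
        self.cache = {}           # ("A", name) or ("NS", zone) -> (value, expires)
        self.queries = Counter()  # how many times each server was asked

    def _cached(self, key, now):
        hit = self.cache.get(key)
        return hit[0] if hit and hit[1] > now else None

    def resolve(self, qname: str, now: int = 0) -> dict:
        answer = self._cached(("A", qname), now)
        if answer:  # served from cache: a non-authoritative answer
            return {"address": answer, "authoritative": False, "asked": []}
        # start at the closest zone whose name server we still remember
        known = [z for (rtype, z) in self.cache
                 if rtype == "NS" and in_zone(qname, z) and self._cached((rtype, z), now)]
        server = self._cached(("NS", max(known, key=len)), now) if known else "."
        asked = []
        while True:
            self.queries[server] += 1
            asked.append(server)
            reply = ask(server, qname)
            if reply[0] == "answer":
                self.cache[("A", qname)] = (reply[1], now + TTL)
                return {"address": reply[1], "authoritative": True, "asked": asked}
            if reply[0] == "referral":
                _, zone, server = reply
                self.cache[("NS", zone)] = (server, now + TTL)
                continue
            return {"address": None, "authoritative": True, "asked": asked}


if __name__ == "__main__":
    x = NameServerX()
    print(x.resolve("www.sunday.com."))          # walks root -> com -> sunday.com
    print(x.resolve("www.sunday.com.", now=1))   # cache hit, nobody is asked
    print(x.resolve("ftp.sunday.com.", now=2))   # straight to proxy.sunday.com
    print("root queries so far:", x.queries["."])
```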
We look at the configuration of BIND 8.2.1 (latest version).
Most of the configuration consists of creating "data base files", which are text files containing records.
Types of records:
- SOA: start of authority - indicates authority for this zone
- NS: name server record - lists a name server for this zone
- A: address record - name-to-address mapping
- PTR: pointer record - address-to-name mapping
- CNAME: canonical name - for aliases

Create the data record files
Now quite frankly, the syntax for these files is a little more complicated than some people like. If you manage a name server, then you will learn the syntax. But it is too easy to make a mistake. You need the DNS and BIND book.
Typing the data directly into the files is the HARD way. So what's the easy way?...

DNS the easy way!
God has been good to name server administrators. We have Paul Albitz and Cricket Liu who wrote the Cricket book: ...and who also wrote the software h2n (host to nameserver); get it from:

Setting up Sunday.com: steps
- Install Red Hat Linux (which comes with BIND 8.2)
- download h2n from the URL on the previous page, and install it
- create a hosts file containing the information: IP address, full domain name, alias, alias, alias ...
- As the user root, copy this file to /var/named (say it is called hosts, for example)
- Execute this command:
  h2n -d sunday.com -n 192.168.0 -h monday -u admin@sunday.com -y -H hosts -v 8 -b named.conf
- copy the file named.conf to /etc
- start the name server with ndc restart ...and you're done!

What was that `hosts' file?
A hosts file could look like this:
192.168.0.1 monday.sunday.com mon
192.168.0.2 tuesday.sunday.com tue
192.168.0.3 wednesday.sunday.com wed
192.168.0.4 thursday.sunday.com thur
192.168.0.5 friday.sunday.com fri
192.168.0.6 saturday.sunday.com sat
192.168.0.7 sunday.sunday.com sun
...But there's an even easier way! See later...

nslookup: tool to test DNS
Okay, does my name server work? How do I check it?
Use the nslookup program, and...
...the name server log files.
nslookup: provided with NT, Linux, Unix, ...

nslookup: example: Sunday.com
[nicku@nickpc short-course-sunday]$ nslookup
Default Server:  is3.vtc.edu.hk
Address:  202.40.209.220

> www.sunday.com
Server:  is3.vtc.edu.hk
Address:  202.40.209.220

Non-authoritative answer:
Name:    www.sunday.com
Address:  202.4.192.60

DNS resources
- Paul Albitz and Cricket Liu, DNS and BIND, O'Reilly, 1998.
- Download BIND from ftp://ftp.isc.org/isc/bind/
- web sites: http://www.isc.org/, select BIND; http://www.dns.net/dnsrd/
- "Ask Mr. DNS": http://www.acmebw.com/askmr.htm (Yes, Mr DNS can help you too, just as he helped me!)
- newsgroup comp.protocols.dns.bind
- mailing list: from the ISC BIND site (very helpful)

DHCP: easy TCP/IP management
DHCP = dynamic host configuration protocol. It maps Ethernet addresses to IP addresses + lots more.

No DHCP: Disaster!
Novell IPX and Microsoft SMB rely on broadcasts. Okay for a small LAN, but not on the Internet!
TCP/IP requires that each network interface have a unique IP address. If any two are the same, oh dear, neither of them works properly!
People like to choose their own address. Result: "network is down!"

DHCP: what a great help!
DHCP can allocate (almost) all TCP/IP parameters automatically! IP address, subnet mask, DNS address, default gateway, WINS server, plus many, many more. All managed centrally.
As soon as you plug a computer into the network, it gets an address: people no longer "guess" their own addresses! It all works! What a relief!

DHCP: how it works
DHCP: two ways to provide an address:
- dynamically: pick an address from a range
- statically: a fixed IP address for a particular Ethernet address.

DHCP: what does it give you?
- (unique) IP address
- netmask
- default gateway
- name servers
- WINS servers
- different policies for various conditions, e.g. different brands of Ethernet card get a different range of addresses
Each machine is given a lease which expires; before then the machine must renew the lease with the DHCP server.
DHCP + DNS: a team
DHCP: MAC ===> IP
DNS: IP <===> name
How to use them together? Soon: secure dynamic updates.
What we do now: an Excel spreadsheet contains the computer info; two Perl programs read this and generate the configuration files for both DNS and DHCP.
Advantage: one source of info ==> both systems.

Demonstration
Excel spreadsheet with the fields:
Save this file as sunday-ip-address.txt, as: Text (tab delimited)
Put sunday-ip-address.txt in the /var/named directory.

Making DNS configuration
Then change directory to /var/named ...and execute:
make-dns-conf-sunday sunday-ip-address.txt
Then copy the file named.conf to the directory /etc, and restart the name server with ndc restart ...and that's it! Just watch the logs, and test it with nslookup.

Making DHCP configuration
Get and install a recent version of DHCP (I use version 3). The one with Red Hat 6.0 (dhcp-2.0bpl6) is out of date. I maintain a package of the latest version; please ask if you want it.
cd /var/named
make-dhcp-conf-sunday sunday-ip-address.txt > /etc/dhcpd.conf
/etc/rc.d/init.d/dhcpd restart
...then just watch the logs; that's it!

These programs available to you
I wrote these tools (make-dhcp-conf and make-dns-db) to maintain our Departmental DNS and DHCP server. They are available to you. You are welcome to try them out yourself and ask me questions about them in the future as well as now.
Originally intended to meet our local needs, I plan to extend them to make them more general purpose. I have already written make-dhcpd-conf-general.
You have a printed copy of the manual and source code. Ask if you want a soft copy.

DHCP: troubleshooting
Two main tools:
- on the server, watch the log files
- on the Windows client, use the program winipcfg
If DHCP is working correctly, clicking on renew will cause the date to advance, and the parameters will be correct. Make sure you have selected the Ethernet card, and not the PPP interface!
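As an added example, and not the author's make-dns-conf/make-dhcp-conf tools, this Python script does the same "one table ==> both systems" job described above on a constructed table in the style of the hosts file shown earlier (IP, full name, aliases). The MAC column is my assumption, since the notes do not list the spreadsheet's fields; it is what lets one table drive dhcpd's fixed addresses as well as the BIND forward and reverse zones.

```python
import ipaddress
import re

# Constructed table in the style of the hosts file shown in the notes.
# Columns: IP address, full domain name, MAC (assumed column), aliases...
SAMPLE = """\
192.168.0.1\tmonday.sunday.com\t00:11:22:33:44:01\tmon
192.168.0.2\ttuesday.sunday.com\t00:11:22:33:44:02\ttue
192.168.0.3\twednesday.sunday.com\t00:11:22:33:44:03\twed
"""

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_table(text: str, domain: str) -> list:
    """Parse the table, rejecting anything that would produce a broken record
    or two machines with the same address (the 'network is down!' case)."""
    hosts, seen_ip, seen_mac = [], set(), set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.lower().split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: need IP, name and MAC")
        ip, fqdn, mac, *aliases = fields
        if not fqdn.endswith("." + domain):
            raise ValueError(f"line {lineno}: {fqdn} is not in {domain}")
        short = fqdn[: -len(domain) - 1]
        for label in [short, *aliases]:
            if not LABEL_RE.match(label):
                raise ValueError(f"line {lineno}: bad host name {label!r}")
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC {mac!r}")
        addr = ipaddress.ip_address(ip)
        if addr in seen_ip or mac in seen_mac:
            raise ValueError(f"line {lineno}: duplicate IP address or MAC")
        seen_ip.add(addr)
        seen_mac.add(mac)
        hosts.append({"ip": addr, "short": short, "mac": mac, "aliases": aliases})
    return hosts


def forward_records(hosts: list) -> list:
    """An A record per host and a CNAME per alias, for the forward zone file."""
    lines = []
    for h in hosts:
        lines.append(f"{h['short']}\tIN\tA\t{h['ip']}")
        lines += [f"{a}\tIN\tCNAME\t{h['short']}" for a in h["aliases"]]
    return lines


def reverse_records(hosts: list, domain: str) -> list:
    """A PTR record per address for the in-addr.arpa zone, so address-to-name
    answers agree with the forward zone."""
    return [f"{h['ip'].reverse_pointer}.\tIN\tPTR\t{h['short']}.{domain}."
            for h in hosts]


def dhcpd_hosts(hosts: list) -> list:
    """ISC dhcpd host declarations: a fixed address for each MAC (the
    'static' allocation the notes describe)."""
    return [f"host {h['short']} {{ hardware ethernet {h['mac']}; "
            f"fixed-address {h['ip']}; }}" for h in hosts]


if __name__ == "__main__":
    hosts = parse_table(SAMPLE, "sunday.com")
    print("\n".join(forward_records(hosts)))
    print("\n".join(reverse_records(hosts, "sunday.com")))
    print("\n".join(dhcpd_hosts(hosts)))
```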
DHCP resources
Most sources of information about DHCP are online, since it is an evolving protocol that just gets better with time.
- Download from ftp://ftp.isc.org/isc/dhcp/
- Web site: go to http://www.isc.org/ and select DHCP
- mailing lists: also find these from the ISC web site (Very helpful!)
- full documentation comes with the software
- RFCs and IETF drafts: ftp://ftp.isi.edu/internet-drafts, ftp://ftp.is.co.za/rfc/

PPP: Point to Point Protocol
TCP/IP can be carried over many physical media, including Ethernet, FDDI, microwave, infra red, ... but one medium is important for us at home: the telephone and modem.
Over the telephone we use PPP to carry TCP/IP to and from our ISP. Over PPP we can browse the web, use telnet, ftp - every TCP/IP protocol.

PPP: what it does
- Can carry TCP/IP and other protocols (e.g., Novell IPX, AppleTalk, DECnet, ...) at the same time
- links two hosts/networks together
- negotiates the communication between the two hosts
- detects and discards errors
- supports negotiating compression and encryption
- supports establishing the IP addresses required at each end
- supports authentication
- Can be used to "tunnel" data through the Internet

PPP: what it doesn't do
- Flow control: the network layer handles lost frames. Serial interfaces provide flow control.
- Error correction: the network layer's responsibility
- Resequencing: PPP assumes all frames sent remain in order. This assumption is true for many physical serial connections.

PPP: some ancient history: SLIP
In the beginning (early 80's) there was SLIP (Serial Line Internet Protocol).
- RFC-1055 defines SLIP as a "non-standard"
- It only supports TCP/IP
- It doesn't do negotiation of communication parameters, error detection, error correction, or compression
- It is obsolete. Don't use it unless you really, really, really have to.
PPP: some advantages
- PPP is an IETF standard, so there are fewer problems about working between different implementations
- it is extensible
- backwardly compatible: older implementations work with newer ones; an older implementation can reject capabilities it doesn't understand.

PPP: A data link layer protocol
PPP is a data link layer protocol (in the ISO seven-layer model). It works at the same level as IEEE 802.3, CSMA/CD on Ethernet.
Later, we will see that it can be used over higher level protocols to encapsulate data. This is called tunnelling.

PPP: frame format
- Flag: 01111110 identifies the start and end of a frame.
- Protocol: identifies the type of information in data/padding
- Frame Check Sequence (FCS): verifies data integrity.

PPP protocol field
Value  Protocol                                            Type
0021   Internet protocol                                   Network layer
002d   Van Jacobson Compressed TCP/IP                      Network layer
00fd   compressed datagram
8021   Internet Protocol Control Protocol                  NCP
c021   Link control protocol (LCP)
c023   Password Authentication Protocol (PAP)
c023   Link quality report
c223   Challenge Handshake Authentication protocol (CHAP)

Protocol field 2
Identifies what is in the data/padding fields. Allows many protocols to share one serial connection.
Also identifies frames used for PPP control:
- LCP: to establish, start, finish, and maintain the PPP link
- IPCP: to set up IP addresses, IP compression protocol

Octet stuffing
Used to protect some characters from wrong interpretation, e.g., if we want a flag character in the middle of the data. XON, XOFF characters may be used for flow control.
Maintain an "asynchronous control character map" (ACCM), or asyncmap. All occurrences of the flag, 0x7d and all chars in the asyncmap are replaced by two bytes: 0x7d then the char XORed with 0x20. The receiver reverses the stuffing operation.
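An added example, not from the notes or from any PPP implementation: the octet-stuffing rule above in Python, with the ACCM handled as the 32-bit map of control characters it is on the wire, plus the 16-bit FCS from RFC-1662 so a whole frame can be built and checked. One detail beyond the notes: a control character in the ACCM that arrives unescaped is discarded, which is RFC-1662's rule, not something the notes state.

```python
FLAG, ESC, XOR = 0x7E, 0x7D, 0x20
GOOD_FCS = 0xF0B8  # residue when the FCS itself is included in the check (RFC-1662)


def fcs16(data: bytes) -> int:
    """RFC-1662 16-bit frame check sequence (reflected CRC, polynomial 0x8408)."""
    fcs = 0xFFFF
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def fcs_bytes(data: bytes) -> bytes:
    """The FCS as sent on the line: complemented, low byte first."""
    return (fcs16(data) ^ 0xFFFF).to_bytes(2, "little")


def must_escape(b: int, accm: int) -> bool:
    """Flag and escape bytes are always stuffed; a control character
    0x00-0x1f is stuffed only if its bit is set in the 32-bit ACCM."""
    return b in (FLAG, ESC) or (b < 0x20 and bool((accm >> b) & 1))


def stuff(data: bytes, accm: int = 0xFFFFFFFF) -> bytes:
    """Sender side: each protected byte becomes 0x7d then the byte XOR 0x20."""
    out = bytearray()
    for b in data:
        if must_escape(b, accm):
            out += bytes([ESC, b ^ XOR])
        else:
            out.append(b)
    return bytes(out)


def unstuff(stuffed: bytes, accm: int = 0xFFFFFFFF) -> bytes:
    """Receiver side: reverse the stuffing. A control character in the ACCM
    that arrives unescaped was inserted by the line, not the sender, so it
    is discarded (RFC-1662 behaviour, assumed here)."""
    out, it = bytearray(), iter(stuffed)
    for b in it:
        if b == ESC:
            nxt = next(it, None)
            if nxt is None:
                raise ValueError("escape byte at end of frame")
            out.append(nxt ^ XOR)
        elif b == FLAG:
            raise ValueError("unescaped flag inside a frame")
        elif b < 0x20 and (accm >> b) & 1:
            continue
        else:
            out.append(b)
    return bytes(out)


def build_frame(payload: bytes, accm: int = 0xFFFFFFFF) -> bytes:
    """Flag, stuffed (payload + FCS), flag. payload = protocol field + data."""
    return bytes([FLAG]) + stuff(payload + fcs_bytes(payload), accm) + bytes([FLAG])


def parse_frame(frame: bytes, accm: int = 0xFFFFFFFF) -> bytes:
    """Strip the flags, undo the stuffing and verify the FCS; return the payload."""
    if len(frame) < 4 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("frame is not delimited by flag bytes")
    body = unstuff(frame[1:-1], accm)
    if len(body) < 2 or fcs16(body) != GOOD_FCS:
        raise ValueError("bad FCS: frame corrupted on the line")
    return body[:-2]


if __name__ == "__main__":
    xon_xoff = (1 << 0x11) | (1 << 0x13)   # negotiated asyncmap: escape only XON and XOFF
    frame = build_frame(b"\x00\x21" + b"\x11IP data\x13", accm=xon_xoff)
    print(frame.hex(" "))
    print(parse_frame(frame, accm=xon_xoff))
```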
PPP is peer to peer
The PPP protocol is democratic: it joins two equals. There is no distinction between calling and called party; the same software can be used at each end.

PAP authentication
One side requests authentication; the other side sends its PAP name and password in one frame. Password and name are sent as clear text (not encrypted).

CHAP authentication
- Both sides agree to use CHAP
- one side sends the other its CHAP name and a random string
- the other side transforms this string (usually using MD5) using its own secret key, and sends the result back
- the first machine uses its own copy of the secret key to see if the other side used the correct secret key. The first machine then sends a success or failure acknowledgement.
No passwords are sent, neither in clear text nor encrypted.

PPP resources
- Andrew Sun, Using & Managing PPP, O'Reilly, 1999.
- Newsgroup comp.protocols.ppp
- A quality Open Source implementation of PPP by Paul Mackerras is available from ftp://cs.aun.edu.au/pub/software/ppp/
- redhat-ppp mailing list (see www.redhat.com)
- RFCs and IETF drafts: ftp://ftp.isi.edu/internet-drafts, ftp://ftp.is.co.za/rfc/. Start with RFC-1661 and RFC-1662.

Firewalls: what are they?
If a LAN with hundreds of computers is connected directly to the Internet, a BAD GUY(TM) may crack any one of them; the administrator does not know which one. In an open LAN, all machines must be secure. However, it is more common to see flocks of flying pigs.
A firewall is a specially configured gateway between the outside world and the site's inner network. All traffic must go through the gateway.

Firewalls: How do they work?
A firewall runs software that determines whether to allow some network traffic in or to block it.
- Monitor the firewall machine carefully
- The firewall records (logs) any suspicious activity
- Make the firewall machine as secure as possible: it provides only the firewall function, no others
If the gateway is secure, the LAN is secure.
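As an added example (not the notes' or pppd's code), a Python model of the CHAP exchange described under "CHAP authentication" above, with a PAP request beside it; every frame is appended to a "wire" list so a passive listener's view can be checked. The MD5 over identifier, secret and challenge is the RFC 1994 layout, which the notes do not spell out, and the names and secrets are constructed.

```python
import hashlib
import hmac
import secrets


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value: MD5 over identifier, shared secret and the
    random challenge (RFC 1994 layout, assumed here)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges (say, the ISP's access server)."""

    def __init__(self, secrets_db: dict, name: bytes = b"isp-access"):
        self.db = secrets_db        # peer name -> shared secret
        self.name = name
        self.ident = 0
        self.outstanding = {}       # identifier -> challenge not yet answered

    def challenge(self) -> dict:
        self.ident = (self.ident + 1) & 0xFF
        value = secrets.token_bytes(16)     # a fresh random string every time
        self.outstanding[self.ident] = value
        return {"type": "CHALLENGE", "id": self.ident, "value": value, "name": self.name}

    def verify(self, response: dict) -> dict:
        # a challenge answers one response only, so a replayed response fails
        challenge = self.outstanding.pop(response["id"], None)
        secret = self.db.get(response["name"])
        ok = False
        if challenge is not None and secret is not None:
            expected = chap_hash(response["id"], secret, challenge)
            ok = hmac.compare_digest(expected, response["value"])
        return {"type": "SUCCESS" if ok else "FAILURE", "id": response["id"]}


class Peer:
    """The side being authenticated (say, the home machine dialling in)."""

    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, challenge: dict) -> dict:
        value = chap_hash(challenge["id"], self.secret, challenge["value"])
        return {"type": "RESPONSE", "id": challenge["id"], "value": value, "name": self.name}


def pap_request(name: bytes, password: bytes) -> dict:
    """PAP: name and password in one frame, as sent (clear text)."""
    return {"type": "AUTHENTICATE-REQUEST", "name": name, "password": password}


def run_chap(auth: Authenticator, peer: Peer, wire: list) -> str:
    """Three frames: challenge, response, success/failure; all go on the wire."""
    chal = auth.challenge()
    wire.append(chal)
    resp = peer.respond(chal)
    wire.append(resp)
    result = auth.verify(resp)
    wire.append(result)
    return result["type"]


def secret_on_wire(wire: list, secret: bytes) -> bool:
    """What a passive listener gets: does the secret appear in any frame?"""
    return any(isinstance(v, bytes) and secret in v
               for frame in wire for v in frame.values())


if __name__ == "__main__":
    auth = Authenticator({b"sunday": b"s3cret-key"})   # constructed name and secret
    wire = []
    print("CHAP:", run_chap(auth, Peer(b"sunday", b"s3cret-key"), wire),
          "secret visible on wire:", secret_on_wire(wire, b"s3cret-key"))
    pap_wire = [pap_request(b"sunday", b"s3cret-key")]
    print("PAP secret visible on wire:", secret_on_wire(pap_wire, b"s3cret-key"))
```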
Application proxies, packet filters
Two types of firewall:
- application proxies (we will demonstrate one today)
- packet filtering firewalls (usually with stateful inspection)
Application gateway firewalls:
- One client, one server for each protocol (called a proxy).
- the client receives, examines the content, and decides whether to serve it to the target user
- each new protocol needs a new proxy.
Packet filtering firewalls:
- examine packet headers only, ignore content

Difference: application vs. filter
Because application gateways examine the content of each packet as well as the packet headers themselves, they may take more computing power, but may be more secure.
- They do not easily adapt to new protocols
- Need modified clients (e.g., Netscape or IE)
Packet filter:
- faster, more efficient, often implemented as a router.
- can adapt to new protocols
- clients may not need to be aware of the firewall.
- But less logging (usually, especially when it is really just a router).
- Filtering rules are often easy to get wrong

Choosing a firewall: criteria
- Unix or NT? Depends on your experience. Go with what you know.
- Does it handle all the protocols you need (e.g., RealAudio, QuickTime, S-HTTP)?
- Can it handle the traffic?
- Extensive logging and tools to analyse logs are very important
- Is it easy to administer?
- Is it simple? Simpler systems are often more secure.
- Does it support VPN using IPSec?
Firewalls: some manufacturers 1
- Netscreen 100 (www.netscreen.com) (rated best in June Data Communications: http://www.data.com/issue/990521/firewalls.html)
- AltaVista (was owned by Compaq)
- Sidewinder (www.SecureComputing.com)
- CyberGuard (www.cyberguard.com) (rated best in DC)
- Raptor FW & VPN server 6.0: www.axent.com/products/rsbu/firewall/default.htm

Firewalls: some manufacturers 2
- Firewall-1 (Checkpoint Software Technologies: www.checkpoint.com)
- Gauntlet (previously Trusted Information Systems, now Network Associates: www.nai.com)
- Lucent Managed Firewall/4.0 (www.lucent.com/security/)
- BorderManager Firewall Services/3 (www.novell.com/products/bordermanager)
- ESX-4800 with Firewall Switching Agent Forethought 6.0 (www.fore.com)

Firewalls: availability 2
Sunday.com is currently being managed by AT&T. Their VPN service is implemented using the WatchGuard Firebox II (see http://www.att.net.hk/products/faq.html).
WatchGuard Firebox II is implemented using the Linux operating system: www.watchguard.com
Sophisticated packet filtering capability is built into the Linux kernel, and can be configured using IPchains.

Firewall architectures
We will briefly look at these architectures:
- dual homed host architecture
- screened subnet architecture

Dual homed host
The dual homed host has two network interfaces. It is non-routing (IP forwarding must be turned off).

Screened subnet architecture

Private IP addresses
Machines inside the firewall should use private IP addresses, specified by RFC-1597:
- 10/8
- 172.16/12
- 192.168/16
...or be allocated addresses by your ISP. Do not just pluck numbers out of the air, or you will not be able to connect to those real Internet addresses when you need to do so.

Security >> firewalls
Security is a major topic. It involves issues such as:
- file permissions,
- user account management,
- system monitoring,
- understanding vulnerabilities of various protocols
- use of encryption
- reliable authentication methods
- system backups
...as well as firewalls.
Demonstration of TIS firewall
Here we demonstrate:
- use of telnet and web access through the gateway
- use of hunt, a cracker's tool for hijacking connections and sniffing passwords (available from http://www.cri.cz/kra/)
- avoiding the cracker by using encryption with SSH.

Firewall resources
- D. B. Chapman & E. D. Zwicky, Building Internet Firewalls, O'Reilly. Contains practical filtering rule information for those who want to build their own.
- Linux Firewall and Security Site: http://rlz.ne.mediaone.net/linux/ - provides links to many other useful sites.
- Data Communications (www.data.com) annually review firewalls and perform detailed comparisons. See http://www.data.com/issue/990521/firewalls.html.

Conclusion
We have had a brief look at:
- TCP/IP
- DNS
- DHCP
- PPP
- Firewalls
There is much more to setting up an ISP or Intranet than these; other issues include email, internet news, encryption and web server configuration.

Please feel free to ask
I am happy to offer practical help to any of you with any of the issues I have covered today, particularly with DNS and DHCP. I maintain Red Hat packages for BIND, DHCP and configuration tools. Ask if you want any of them.
You are welcome to contact me at my email addresses:
Nick Urbanik
nicku@vtc.edu.hk
nicku@iohk.com